For Cloud Security, Mix It Up With Both Off- and On-Premises Systems

Let's face it -- when it comes to cloud, everyone worries about security. Countless surveys find this is the number-one concern with an otherwise compelling business model. We're not just talking about data security, though that's a big part of it. There's also application security -- knowing that the services you need will be up and available when you need them. And there's vendor security. Will your cloud provider still be in business a year from now? Or, if they are in business, will they decide to change their business model underneath you? Those are all legitimate security concerns, not to be taken lightly.

Perhaps it's best to hedge your bets -- and not rely on just one cloud service, but multiple services -- including having a private cloud on-premises. ("On-premises cloud" -- uh oh, did I just mix buzzwords?)

But the ability to hedge your cloud bet is exactly what James Kaplan, Chris Rezek, and Kara Sprague, all with McKinsey, call for in a new report. Having a mixed portfolio of cloud services, as well as on-premises capabilities, may be the best way to guard sensitive data, they suggest. This is especially important since simply "refusing to use cloud capabilities is not a viable option for most institutions," they point out.

I might add that the mixed-cloud strategy they advocate is also great insurance against vendor lock-in and vendor business disruptions, planned and unplanned.

Not all data is equal -- some of it, such as personally identifiable information, is highly sensitive. Other types of data, such as sensor output, may be useless drivel to prying eyes. The McKinsey folks say a "mixed-cloud" approach should help sort this all out -- workloads with sensitive data can be run within the on-premises system, while workloads with less interesting data can be run by a cloud provider. For example, they say, development and testing may require far less security than live production environments. "The public cloud can be a good option for developing and testing software, since this usually does not involve sensitive data," the authors note. (However, developers often require realistic datasets to fully test their applications -- so be careful there.)

Here are examples of the types of data that best fit with each type of environment:

Essentially, any data that has business value or is covered by regulation needs appropriate management and protection. But using on-premises systems isn't necessarily the most secure option, the McKinsey team reminds us, noting that "both public- and private-cloud solutions can provide data-protection advantages compared with traditional, subscale technology environments. Cloud solutions improve transparency—for example, the centralized and virtualized nature of the cloud can simplify log and event management, allowing IT managers to see emerging security or resiliency problems earlier than might otherwise be possible. Likewise, in cloud environments, operators can solve problems once and apply the solutions universally by using robust automation tools."